img > Issue XLVII: February 2011 > SOA Governance in the Cloud
Pethuru Cheliah

Pethuru Cheliah


Dr. Pethuru Raj has been working as a TOGAF-certified enterprise architecture (EA) consultant in Wipro Technologies, Bangalore. On the educational front, armed with the competitive UGC research fellowship, he could proceed with his research activities and was awarded the prestigious PhD degree by Anna University, Chennai, India. He then could acquire the meritorious CSIR fellowship to work as a postdoctoral researcher in the Department of Computer Science and Automation (CSA), Indian Institute of Science (IISc), Bangalore. Thereafter, he was granted a couple of international research fellowships (JSPS and JST) to work as a research scientist for 3 years in two leading Japanese universities. Dr. Raj also had a fruitful stint as a lead architect in the corporate research (CR) division of Robert Bosch, India, for 1.5 years.

Dr. Raj has more than 12 years of IT industry experience. Primarily, he has been a technical architect and currently he is providing technology advisory services for worldwide business behemoths on the transformation capabilities of enterprise architecture (EA) in synchronization with some of the emerging technologies such as the Internet of Things (IoT) / Cyber Physical Systems (CPS) / Machine-to-Machine (M2M) Integration, Big Data, Cloud and Service Computing paradigms, Real-time Analytics of Big data using Cloud-based NoSQL databases, Hadoop framework, etc. and Mobility. He has made use of the opportunities that came on his way to focus on a few business domains, including telecommunication, retail, government, energy, and health care.

Dr. Raj has contributed book chapters for a number of technology books that were edited by internationally acclaimed professors and published by leading publishing houses. Currently he is writing a comprehensive book with the title "The Internet of Things (IoT) Technologies for the Envisioned Smarter Planet" for a world-leading book house. The CRC Press, USA has just released his book on "Cloud Enterprise Architecture" and you can find the book details in the page


rss  subscribe to this author


SOA Governance in the Cloud

Published: February 15, 2011 • SOA Magazine Issue XLVII PDF


Cloud computing has been making waves in the business–enabling IT arena. Its impacts on both business and IT are definitely multifaceted and mesmerizing. Conceptually, the cloud style has inspired scores of nimbler business, delivery, consumption and pricing models. On the infrastructural side, cloud has emerged as the robust and resilient infrastructure for optimally hosting, managing, and delivering next–generation services and applications. Cloud is being positioned as the consolidated, virtualised, automated, shared, and quality of service (QoS)–compliant infrastructure. Having understood its strategically sound business and technical benefits, global enterprises are quick in embracing this disruptive and transformative IT platform.

Following the footsteps of the enterprise IT, embedded IT (the device space) very positively and progressively jumps into the cloud bandwagon. There are several transnational and transformational initiatives for producing competent open architectures with frameworks that facilitate seamless connectivity and service–level integration between embedded devices and cloud. Market onlookers forecast that the cloud idea will be massively adopted across the globe and adapted accordingly by IT service and solution providers. The cloud model has opened up fresh possibilities for the scores of unresolved IT problems. IT brings forth innumerable opportunities to sustain the IT dynamism and momentum. Cloud is being recognized as the most powerful and promising technology for the future of IT.

Along with the enterprise and the embedded IT, the cloud IT is to support the IT evolution and revolution continuously and consistently for the years to unfold. In a nutshell, the grand arrival and overwhelming acceptance of the cloud platform will cause a transition from the stagnant, expensive, and closed IT into an elegant, elastic, green, clean and catalytic IT. The brewing cloud idea has demonstrably brought in tectonic and tremendous shifts in the way that IT is being approached, applied, and articulated.

Cloud Governances Comes to the Rescue

In the midst of all the hype and hope, there are some doubts lingering in the minds of many today. Corporations are not fully convinced and confident about moving their data (especially corporate and confidential information) to the cloud because of the inherent security fears. There are some serious apprehensions about the evolving and exploding cloud platform. Some of the risks associated with the current cloud IT includes: availability, erosion of data integrity, data replication and consistency issues, privacy, lack of auditing and logging visibility, potential for regulatory violations, application sprawl & dependencies, inappropriate usage of services, difficulty in managing intra–cloud, inter–cloud, and cloud and non–cloud interactions and resources. The overwhelming response for these ills and issues is the much–discussed and deliberated "cloud governance". Thankfully, in many ways, we can apply what we have already invested, implemented, and learned in SOA governance directly to the perils of cloud. That is, cloud governance is in a way a direct and distinct extension of SOA governance. In this section, we describe what we can apply from our existing SOA governance knowledgebase and what new things are needed in order to have a robust cloud governance in our fast–growing cloud environment and ecosystem.

Cloud Governance Types

Design–Time Cloud Governance

Today we have our own SOA platforms and infrastructures for designing, developing, debugging, and deploying services and applications. Policies are adroitly applied to safeguard the assets from any unwanted loss and mischievous interactions. With the maturity and stability of cloud platforms, designers and developers are tempted to embrace cloud platforms for affordable and agile development. Most of the cloud infrastructure providers therefore extensively quote the simplicity quotient of cloud–based service engineering. However service implementation in clouds is beset with innumerable risks. SOA governance tools and engines could take care of service engineering in local environments. However, cloud providers do not have the enhanced SOA governance platforms in the cloud yet. There are some practical difficulties in simply moving governance products to cloud servers as cloud computing brings in some unique propositions to the IT world. Further on, there is no central placeholder for cloud consumers/developers to view the services and associated policies. Change and version control are other trickling troubles.

Apart from SOA governance engines at the cloud side, service registry repository in cloud is very much essential for cloud–based software engineering to become pervasive and popular. Sharing and synchronization among diverse and distributed services have to be sorted out to enhance the comfort zone. Furthermore, design–time policies are easily enforceable when we have the right control over the development and QA processes. It is very difficult to enforce policies if we are developing services in a remote and third–party cloud due to lack of controllability, visibility, accountability and auditability. Besides conceiving cloud–specific policies by industry players and cloud users, SOA governance vendors strategizing to move to the cloud landscape too need to do several things urgently to gain the control in order to avoid the impending chaos and failure. Cloud service providers (CSPs) have to take stringent measures and formulate appropriate mechanisms in order to give a sense of infallibility to their global subscribers and developers. Only then will they adopt clouds for design and development purposes.

Many reckon that design–time governance is only concerned with service design and development. Todd Biske in one of his blogs notes that governance should actually be thought of in three timeframes; "pre–project, project, and runtime." As he explains it:

"There's a lot more that goes on before runtime than design, and these activities still need to be governed. It is true that if you're leveraging an external provider, you don't have any need to govern the development practices. You do, however, still need to govern the processes that led to the decision of what provider to use; The processes that define the service contract between you and the provider, both the functional interface and the non–functional aspects; and the processes executed when you add additional consumers at your organization of externally provided services."

Run–Time Cloud Governance

The mandate of SOA runtime governance has brought in scores of runtime policies to be utilised during service execution. Cloud platforms and infrastructures per se make the runtime monitoring, management, and governance more complicated. Data residing on cloud systems that are situated in other countries or legal jurisdictions are beset with integrity and confidentiality problems. The much–needed control is absolutely missing here. Furthermore, remote cloud systems are unlikely to have the same security standards as we have in our own internal and local server machines. This means that our security policies need to be that much more granular. We cannot count on perimeter–based approaches to secure our data or service assets from any kind of attacks and usurps. Every message needs to be subjected to severe scrutiny and we need to separate service and data policy definition from enforcement. As known widely, Cloud doesn't simplify security issues in any way and instead it aggravates the perpetual security conundrum.

Cloud reliability is another hanging issue. Cloud service may not be available and even the cloud itself may go down due to any unexpected outage. That is, the cloud server may slow down or even breakdown letting down the users all of a sudden. Will there be an internal SOA infrastructure ready to handle users' requests in this scenario? If then, doesn't that entirely kill the economic benefits of cloud in the first place? An effective cloud governance approach therefore must provide the means to control, monitor, and adapt services, both with on–premises and cloud–based implementations. In addition, there has to be a consistency between internal SOA & cloud SOA. Users need not worry whether their requests are being supplied by local or remote servers. Location independence, technology transparency, and loose–coupling are the hallmarks of cloud. To make this a reality, the management and governance aspects have to span across SOA infrastructure boundaries. Cloud policies and their enforcement hence have to be very comprehensive and insightful to be accommodative for all kinds of situation, technological and business.

Data and compliance issues can be the most perplexing. Most third-party cloud providers are hesitant to provide auditing and logging facility that is very much demanded from most compliance and regulatory requirements. This has to be taken up with cloud providers while signing the contract. Diverse, distributed and decentralised clouds are getting linked up and cloud services are integrated and composed for realizing composite, business-aware and process–centric cloud services. Service aggregation and intermediation are set to become an important step towards conceiving, constructing and delivering versatile cloud brokerage services, which will become very popular and demanded with the increased adoption of the cloud platform. In such a situation of endless information flow, information leakage, data and service quality need to be given utmost attention. This is done through well–defined usage policies that come handy in controlling the excessive abusive use of cloud services and data in an unauthorised fashion.

One way to solve this problem is through the use of network intermediaries, gateways or special appliances (physical or virtual) that keep track of all traffics flowing between the corporate network and the cloud. Also cloud–to–cloud data exchange (inter–cloud connectivity) too can be protected via this scheme. Currently the information flow between local, on–premise and enterprise servers and on–demand, online, remotely hosted and managed, and off–premise cloud systems is drawing huge attention of cloud–subscribers and CSPs. Intermediaries can scan cloud–bound data for any leakage or pilferage of customer and corporate data, filter traffic according to set-in specific rules, apply access policies to cloud services, provide visibility into authorized and unauthorized usage of cloud services, and prevent unsanctioned use of cloud services by internal staff. However this gateway kind of mechanism does not guarantee the information security among services within a cloud (intra–cloud communication). Thus the governance of cloud systems under production and operation has to take care of several concerns carefully and collectively. As cloud servers are supposed to be high–performing and assuring, policy–engineering, enablement and enforcement have become the critical and crucial portion in effectively and elegantly governing cloud environments.

Change–Time Cloud Governance

The last one is how to govern cloud resources that are liable to changes. Change management is an inseparable ingredient of software systems. Changes are bound to happen for any evolving system. Services can be replaced and substituted with vigorously implemented services. Performance tuning is a runtime factor. As systems are steadily transforming to be autonomous, the self–governance tenet has to be realised. Version control is the ancient and well–articulated method for tracking and managing all kinds of changes in software packages. Changes can occur via configuration and customization too. Services go through the stage of renovation. Changes in any form have to be tackled and handled with utmost care otherwise there can be bad repercussions. Efficient cloud governance techniques from SOA governance concepts can be smartly utilised for having apt versioning at all levels: service implementation, contract, process, infrastructure, policy, data, and schema. As cloud services are loosely coupled, there will not be any major impact on other services if there are some changes enacted on cloud services. The dependency factor is luckily not there and hence most of the inhibitions arising out of tighter coupling are nullified. However cloud testing discipline is getting its recognition lately and there are several tools exclusively for testing cloud resources. The bigger nuisance is that as far as cloud is concerned, resources can be verified and validated only in a production environment. That is capturing and capitalizing design-time and run-time changes remain a distant reality.


It is a undeniable fact that cloud computing will make a large impact on the future possibilities of IT. However, because of the many doubts and risks surrounding this new platform, organizations and IT members involved should be careful while embracing this new platform. In order to successfully implement cloud computing one needs to reflect on the vast knowledgebase attained through SOA governance and apply it accordingly, as well as have comprehensive and insightful policies/enforcement to accommodate changes that will occur in this evolving system.